I'm looking at this and this and it would appear 'easy' to send the credentials in the URL. For example:

http://gooduser:secretpassword@www.example.com/webcallback?foo=bar

This is all well and good but it doesnt work. I've turned fiddler on and for Chrome the Authorization header isnt sent. It appears to exhibit the same behaviour for other browsers (i've got a breakpoint on the server and no Authorize header turns up for Firefox,Safari or IE either)

How to make it better?

Stumbled across this while researching various basic auth implementations.

Browsers generally only send basic auth if they receive a 401 challenge response from the server (more on basic auth protocol). If the endpoint in question accepts both authenticated and non-authenticated users, then a browser-based request will likely never be prompted for the auth parameters.

The easiest way to test this type of setup is to send a curl request (which sends the authentication parameters regardless) to your server endpoint and validate receipt of the authorization header:

curl 'http://gooduser:secretpassword@www.example.com/webcallback?foo=bar'

OK so after much searching and experimenting the approach

http://gooduser:secretpassword@www.example.com/webcallback?foo=bar

does work. However one needs to be careful to ensure that the secret password DOES NOT contain any special characters. Use a password containing only letters and numbers and a hypen(if you must) and it should work.